SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0221-1
Rating:             important
References:         #1120431 #1122293 #1122299 
Cross-References:   CVE-2018-11212 CVE-2019-2422 CVE-2019-2426
                   
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for java-11-openjdk to version 11.0.2+7 fixes the following
   issues:

   Security issues fixed:

   - CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
   - CVE-2019-2426: Improve web server connections
   - CVE-2018-11212: Improve JPEG processing (bsc#1122299)
   - Better route routing
   - Better interface enumeration
   - Better interface lists
   - Improve BigDecimal support
   - Improve robot support
   - Better icon support
   - Choose printer defaults
   - Proper allocation handling
   - Initial class initialization
   - More reliable p11 transactions
   - Improve NIO stability
   - Better loading of classloader classes
   - Strengthen Windows Access Bridge Support
   - Improved data set handling
   - Improved LSA authentication
   - Libsunmscapi improved interactions

   Non-security issues fixed:

   - Do not resolve by default the added JavaEE modules (bsc#1120431)
   - ~2.5% regression on compression benchmark starting with 12-b11
   - java.net.http.HttpClient hangs on 204 reply without Content-length 0
   - Add additional TeliaSonera root certificate
   - Add more ld preloading related info to hs_error file on Linux
   - Add test to exercise server-side client hello processing
   - AES encrypt performance regression in jdk11b11
   - AIX: ProcessBuilder: Piping between created processes does not work.
   - AIX: Some class library files are missing the Classpath exception
   - AppCDS crashes for some uses with JRuby
   - Automate vtable/itable stub size calculation
   - BarrierSetC1::generate_referent_check() confuses register allocator
   - Better HTTP Redirection
   - Catastrophic size_t underflow in BitMap::*_large methods
   - Clip.isRunning() may return true after Clip.stop() was called
   - Compiler thread creation should be bounded by available space in memory
     and Code Cache
   - com.sun.net.httpserver.HttpServer returns Content-length header for 204
     response code
   - Default mask register for avx512 instructions
   - Delayed starting of debugging via jcmd
   - Disable all DES cipher suites
   - Disable anon and NULL cipher suites
   - Disable unsupported GCs for Zero
   - Epsilon alignment adjustments can overflow max TLAB size
   - Epsilon elastic TLAB sizing may cause misalignment
   - HotSpot update for vm_version.cpp to recognise updated VS2017
   - HttpClient does not retrieve files with large sizes over HTTP/1.1
   - IIOException "tEXt chunk length is not proper" on opening png file
   - Improve TLS connection stability again
   - InitialDirContext ctor sometimes throws NPE if the server has sent a
     disconnection
   - Inspect stack during error reporting
   - Instead of circle rendered in appl window, but ellipse is produced
     JEditor Pane
   - Introduce diagnostic flag to abort VM on failed JIT compilation
   - Invalid assert(HeapBaseMinAddress > 0) in
     ReservedHeapSpace::initialize_compressed_heap
   - jar has issues with UNC-path arguments for the jar -C parameter [windows]
   - java.net.http HTTP client should allow specifying Origin and Referer
     headers
   - java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
   - JDK 11.0.1 l10n resource file update
   - JDWP Transport Listener: dt_socket thread crash
   - JVMTI ResourceExhausted should not be posted in CompilerThread
   - LDAPS communication failure with jdk 1.8.0_181
   - linux: Poor StrictMath performance due to non-optimized compilation
   - Missing synchronization when reading counters for live threads and peak
     thread count
   - NPE in SupportedGroupsExtension
   - OpenDataException thrown when constructing CompositeData for
     StackTraceElement
   - Parent class loader may not have a referred ClassLoaderData instance
     when obtained in Klass::class_in_module_of_loader
   - Populate handlers while holding streamHandlerLock
   - ppc64: Enable POWER9 CPU detection
   - print_location is not reliable enough (printing register info)
   - Reconsider default option for ClassPathURLCheck change done in
     JDK-8195874
   - Register to register spill may use AVX 512 move instruction on
     unsupported platform.
   - s390: Use of shift operators not covered by cpp standard
   - serviceability/sa/TestUniverse.java#id0 intermittently fails with
     assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
   - SIGBUS in CodeHeapState::print_names()
   - SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
   - Soft reference reclamation race in
     com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
   - Swing apps are slow if displaying from a remote source to many local
     displays
   - switch jtreg to 4.2b13
   - Test library OSInfo.getSolarisVersion cannot determine Solaris version
   - TestOptionsWithRanges.java is very slow
   - TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails
     intermittently
   - The Japanese message of FileNotFoundException garbled
   - The "supported_groups" extension in ServerHellos
   - ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to
     CompositeData
   - TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
   - TLS 1.2 Support algorithm in SunPKCS11 provider
   - TLS 1.3 handshake server name indication is missing on a session resume
   - TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and
     psk_key_exchange_modes
   - TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side
     with mutual auth
   - tz: Upgrade time-zone data to tzdata2018g
   - Undefined behaviour in ADLC
   - Update avx512 implementation
   - URLStreamHandler initialization race
   - UseCompressedOops requirement check fails on 32-bit system
   - windows: Update OS detection code to recognize Windows Server 2019
   - x86: assert on unbound assembler Labels used as branch targets
   - x86: jck tests for ldc2_w bytecode fail
   - x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
   - "-XX:OnOutOfMemoryError" uses fork instead of vfork


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-221=1



Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      java-11-openjdk-11.0.2.0-3.18.1
      java-11-openjdk-accessibility-11.0.2.0-3.18.1
      java-11-openjdk-accessibility-debuginfo-11.0.2.0-3.18.1
      java-11-openjdk-debuginfo-11.0.2.0-3.18.1
      java-11-openjdk-debugsource-11.0.2.0-3.18.1
      java-11-openjdk-demo-11.0.2.0-3.18.1
      java-11-openjdk-devel-11.0.2.0-3.18.1
      java-11-openjdk-headless-11.0.2.0-3.18.1
      java-11-openjdk-jmods-11.0.2.0-3.18.1
      java-11-openjdk-src-11.0.2.0-3.18.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      java-11-openjdk-javadoc-11.0.2.0-3.18.1
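   To confirm the patch actually landed on a host, the following added check (not part of the SUSE advisory) reads each java-11-openjdk package's version-release from the RPM database and compares it with the fixed build 11.0.2.0-3.18.1 from the package list above. It assumes the version and release fields are purely numeric, dot-separated segments, as they are for these builds.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory: is java-11-openjdk at or above
# the fixed build listed in SUSE-SU-2019:0221-1?

FIXED_VR="11.0.2.0-3.18.1"   # version-release from the advisory's package list

# Compare two RPM "version-release" strings segment by segment, numerically.
# Prints "older", "equal" or "newer" for $1 relative to $2. Missing trailing
# segments count as 0. Assumes numeric segments separated by '.' or '-'.
vr_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i + 0; next }
        {
            m = (NF > n) ? NF : n
            for (i = 1; i <= m; i++) {
                x = (i in a) ? a[i] : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x < y) { print "older"; exit }
                if (x > y) { print "newer"; exit }
            }
            print "equal"
        }'
}

# Succeeds (exit 0) when the given version-release is at least FIXED_VR.
is_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_VR")" != "older" ]
}

# Query the RPM database for each binary package named in the advisory and
# report which installed ones still predate the fixed build.
check_installed() {
    for pkg in java-11-openjdk java-11-openjdk-headless java-11-openjdk-devel \
               java-11-openjdk-jmods java-11-openjdk-demo java-11-openjdk-src \
               java-11-openjdk-accessibility java-11-openjdk-javadoc; do
        # rpm -q exits non-zero when the package is not installed: skip it.
        installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' "$pkg" \
                    2>/dev/null) || continue
        # A multi-version install prints one line per instance; check each.
        for vr in $installed; do
            if is_fixed "$vr"; then
                echo "$pkg $vr: patched"
            else
                echo "$pkg $vr: NOT patched (fixed in $FIXED_VR)"
            fi
        done
    done
}

# Only touch the RPM database where one exists (i.e. on an RPM-based host).
if command -v rpm >/dev/null 2>&1; then check_installed; fi
```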


References:

   https://www.suse.com/security/cve/CVE-2018-11212.html
   https://www.suse.com/security/cve/CVE-2019-2422.html
   https://www.suse.com/security/cve/CVE-2019-2426.html
   https://bugzilla.suse.com/1120431
   https://bugzilla.suse.com/1122293
   https://bugzilla.suse.com/1122299

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2019:0221-1 important: java-11-openjdk

February 1, 2019